Skip to main content

Hey Everyone,

I'm having some trouble with authentication of Cisco ISE & Jamf Pro over Ethernet. My Macs are not domain bound and are using Jamf Connect and Intune registered via Jamf and ADCS. If anyone has some leads enabling User Auth without domain bound macs this would be awesome, after I get the wired working right.

My ADCS Cert
Certificate Subject= CN=$COMPUTERNAME
SAN Type= URI
SAN Name= ID:JAMF:GUID:$MANAGEMENTID
Allow All Apps Access= Unchecked
Allow Export= Unchecked

My Ethernet Config Profile

My Ethernet profile may once randomly auth properly then just fails time after time and I'm thinking I have the wired setup all wrong. When authenticating ISE reaches out to Jamf with the MAC address of the USB Hub connected to the Mac and it fails device compliance stating the device is not found in Jamf and to register.

The failures, return a MDM.MDM-GUID:MacAddress of the USB Hub VS a successful auth has this value MDM.MDM-GUID: empty. Instead the mac address of the USB Hub is in the MDM.macaddress=MacAddress and the mdm.UDID=UDIDofMac is looked up properly with the mac marked as compliant. I'm not sure what I'm doing wrong. I had this working before on wired, but after we renewed one of our certificates and purged the device cache from ISE the Wired policy almost never works.

I attribute part of the failure to the USB Hub mac address technically not being in Jamf. But it's supposed to look up against the UDID? Wireless works every time as that MAC Address is in Jamf and it can find the device directly no problem. What am I doing wrong?


We have had some issues with certain mac models and dongle ethernet as well. Though we use ICE to authenticate a machine cert (pulled via ADCS) against radius auth to verify the computer name is in AD. Our macs are not bound to AD (we manually add the computer in AD) One of our fixed was to make sure the dongle was connected prior to pushing the Config Profile. Other than that perhaps create a new profile with the verified correct new certs and try pushing to a clean test mac. I have seen jamf not update the certs in the Network Config profile properly in an older version of jamfpro.

We have had some issues with certain mac models and dongle ethernet as well. Though we use ICE to authenticate a machine cert (pulled via ADCS) against radius auth to verify the computer name is in AD. Our macs are not bound to AD (we manually add the computer in AD) One of our fixed was to make sure the dongle was connected prior to pushing the Config Profile. Other than that perhaps create a new profile with the verified correct new certs and try pushing to a clean test mac. I have seen jamf not update the certs in the Network Config profile properly in an older version of jamfpro.


Hey Mojo,
I've recreated the profile and Wireless is still succeeding however Wired continues to fail. It seems no matter if I change the ethernet to Any, First Connected it seems to get stuck on the MAC Address of the ethernet adapter and it's not looking up the Mac in Jamf against the UDID in Jamf and GUID in the SAN of the ADCS Cert. At first we started with wired authentication and it was working as intended, Jamf would return the UDID, Compliance and MAC of the adapter to ISE and authenticate through. I do not have the Mac's in AD, even just as fake accounts but that might be something I can try. 

Do you mind if I ask how you are setting your ethernet policy? Are you using First Connected or Any connected ethernet?

Hey Mojo,
I've recreated the profile and Wireless is still succeeding however Wired continues to fail. It seems no matter if I change the ethernet to Any, First Connected it seems to get stuck on the MAC Address of the ethernet adapter and it's not looking up the Mac in Jamf against the UDID in Jamf and GUID in the SAN of the ADCS Cert. At first we started with wired authentication and it was working as intended, Jamf would return the UDID, Compliance and MAC of the adapter to ISE and authenticate through. I do not have the Mac's in AD, even just as fake accounts but that might be something I can try. 

Do you mind if I ask how you are setting your ethernet policy? Are you using First Connected or Any connected ethernet?


We are using First Active Ethernet.

We are using First Active Ethernet.


Good to know. I think for right now the ISE configuration profile is good but ISE is not looking at the GUID when it gets the response from Jamf and only goes off the MAC of the USB Hub which is the real problem I believe. Even with an EA to capture the USB Hub's MAC, ISE has no way to look at it. 

Hi Levi

Did you get Cisco ISE sorted with Macs using ethernet adapters?

Thanks

 

Reply


Terms & ConditionsCookie settings